Bug Description

In our configuration, nearly all users are granted access to the system via pam. The User Accounts dialog in Settings shows only a single user which was created at install time...and I'm not sure where from, because we preseed "d-i passwd/make-user boolean false" to try and inhibit the initial user account.

We control access with pam_krb5 in common-auth, and pam_access in common-account, and we want all users passed by that method to be able to log in (and pam_access is using netgroups to decide which users should be permitted).

So, in this world, I have one account known to the Accounts Manager, and it's the only one which lightdm will let me use: I get no "other user" dialog of any kind. This is a serious bug.

We have the standard unity-greeter.conf and access.conf in /etc/lightdm (though the latter is supposedly unused). Our lightdm.conf contains this:

No. We are fine with users who have already logged in having their username visible; that's helpful.

It's not a lightdm issue, but I'm really quite flabbergasted how even one user shows up in the accounts manager before anyone has logged in, on our configuration. In any case, we like the idea that if a user has logged in on the system they'll be listed in the accounts manager and lightdm won't hide their username.

But there must always be an "other accounts" if PAM might let in people that the accounts manager does not know about.

I hope I'm really clear with this...this bug is not merely a cosmetic bug. It makes the system completely unusable...

Could you clarify the use case you are talking about? The cases we have designed for are:

1. Home users, who have a fixed number of users that are displayed in the greeter
2. Network logins where the user list cannot be easily displayed (it is too long or unable to be downloaded)
3. Home/Network logins where security is an issue (they don't want any users being displayed).

Are you expecting case 2 except users that are currently logged in are shown? Or case 2 where the last n users are remembered and shown (as a shortcut to avoid typing common usernames).

I'll open a design task against this so this new case is handled if appropriate.

We're case 2. Listing all the users is impossible anyhow. Where would you
get the list? But we're OK I believe with listing those who have logged in
before on the particular machine. That's not essential however.

Right now the "other" selector is totally missing. It should be impossible
for that to happen no matter what is in the accounts manager.

> Hi Thomas,
>
> Could you clarify the use case you are talking about? The cases we
> have designed for are:
>
> 1. Home users, who have a fixed number of users that are displayed in the
> greeter
> 2. Network logins where the user list cannot be easily displayed (it is
> too long or unable to be downloaded)
> 3. Home/Network logins where security is an issue (they don't want any
> users being displayed).
>
> Are you expecting case 2 except users that are currently logged in are
> shown? Or case 2 where the last n users are remembered and shown (as a
> shortcut to avoid typing common usernames).
>
> I'll open a design task against this so this new case is handled if
> appropriate.
>
> ** Also affects: ayatana-design
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are a member of Goobuntu
> Team, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/921315
>
> Title:
> lightdm greeter provides no access to pam accounts
>
> Status in Ayatana Design:
> New
> Status in “lightdm” package in Ubuntu:
> Triaged
>
> Bug description:
> In our configuration, nearly all users are granted access to the
> system via pam. The User Accounts dialog in Settings shows only a
> single user which was created at install time...and I'm not sure where
> from, because we preseed "d-i passwd/make-user boolean false" to try
> and inhibit the initial user account.
>
> We control access with pam_krb5 in common-auth, and pam_access in
> common-account, and we want all users passed by that method to be able
> to log in (and pam_access is using netgroups to decide which users
> should be permitted).
>
> So, in this world, I have one account known to the Accounts Manager,
> and it's the only one which lightdm will let me use: I get no "other
> user" dialog of any kind. This is a serious bug.
>
> We have the standard unity-greeter.conf and access.conf in
> /etc/lightdm (though the latter is supposedly unused). Our
> lightdm.conf contains this:
>
> [SeatDefaults]
> greeter-session=unity-greeter
> user-session=ubuntu
> allow-guest=false
> autologin-user=
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ayatana-design/+bug/921315/+subscriptions
>

I have confirmed that adding "greeter-hide-users=true" in the SeatDefaults stanza of lightdm.conf fixes the problem.

We would still like to have the behavior I saw before, where if a user was known to the accounts manager, they would be listed, but there was always an "other" box also. However, this workaround is acceptable (and certainly no worse than gdm--lightdm is still very very nice), so fixing the bug itself is now lower priority for us.

John, I'm confused by why you think this is a dup of bug #844039. That bug requests that the Other option be disabled. This bug complains the opposite: that it *is* disabled, even when it should not be.